W3C home > Mailing lists > Public > public-xmlsec@w3.org > August 2008

Meeting record: XML Security WG Weekly 2008-07-16

From: Thomas Roessler <tlr@w3.org>
Date: Tue, 12 Aug 2008 16:13:37 +0200
To: public-xmlsec@w3.org
Message-ID: <20080812141337.GA20075@iCoaster.does-not-exist.org>

Minutes from our meeting on 2008-07-16 were approved and are
available online here:


A text version is included below the .signature.

Thomas Roessler, W3C  <tlr@w3.org>


                XML Security Working Group Face-To-Face Meeting

16 Jul 2008


   See also: [3]IRC log


          Subramanian Chidambaram (SC), Frederick Hirsch (fjh), Gerald
          Edgar (Gerald), Chris Solc (csolc), Konrad Lanz (klanz2), Thomas
          Roessler (tlr), Brian LaMacchia (bal), Hal Lockhart (hal), Bruce
          Rich (brich), Sean Mullan (sean), Magnus Nystrom (magnus), Anil
          Saldhana (anil), Rob Miller (rmiller), Juan Carlos Cruellas,
          Pratik Datta, Ed Simon

          Frederick Hirsch

          Konrad Lanz, Hal Lockhart


     * [4]Topics
         1. [5]Welcome, Attendance/Introductions, Agenda review
            (10:00-10:30 am, 30 min)
         2. [6]Scribing and Minutes (10:30 - 10:45 15 min)
         3. [7]Scribe duties and scribe selection process
         4. [8]WG Scheduling (10:45-11:15, 30 min)
         5. [9]Teleconference Scheduling
         6. [10]Upcoming meetings
         7. [11]Coordination
         8. [12]Introduction to W3C, W3C process and Tools [Thomas
         9. [13]Tools decisions and volunteers (14:00 - 15:00, 1 hr)
        10. [14]Using Tracker for Issues
        11. [15]Charter Review
        12. [16]WG Project Planning
        13. [17]Overview of Principles and Requirements
        14. [18]Review of workshop
        15. [19]Presentation by Magnus
        16. [20]Editors and volunteers
        17. [21]Best Practices Document
        18. [22]Errata

   <trackbot> Date: 16 July 2008

1) Welcome, Attendance/Introductions, Agenda review (10:00-10:30 am, 30 min)

   Hello Everyone,

   <fjh> Scribe: Konrad Lanz

   fjh: Introducing himself - work for Nokia, chairing this group, was
   chair of previous XML Security Specifications Maintenance WG.
   Participated in original XML Signature and Encryption working groups
   and XKMS. Active in OASIS, including the Board and SAML TC.

   brich: intro ...

   SC: intro ... working for Nokia, on SAML OpenID ...

   bal: intro ... XMLSEC, WSS, ...

   hal: intro ... WSS, WS-SX, SSTC - Co-Chair, Oasis Technical Advisor ...

   tlr: intro ,,, team contact, means I'm your man in W3C ...

   klanz2: ... XML Toolkit @ IAIK/SIC

   jcc: upc ... standardization

   csolc: five years in the area with adobe

   gerald: client of XMLDSIG ...

   sean: intro ... SUN, XML sec implementions, JSR105 ...

   @all: please augment where needed ...

   RESOLUTION: Dinner @21:00, all are coming

   rdmiller: intro ... MITRE Supports US Dept. of Defense, daily contact
   with XML and XMLSEC, user perspective and best practices pperspective
   ... update crypto, NSA suite B

   magnus: inro ... working for RSA, standardization PKCS

   <rmiller> silence

   setting up again

   <tlr> yes, we got dropped

   <tlr> sorry

   lost the bridge

   fjh: minutes @ every meeting
   ... on the irc chat
   ... notes during the meeting, you are encouraged to augment and correct
   ... minutes are public
   ... minutes are in general public, n
   ... but we might make them private until approved
   ... part of the job of scribing is cleaning the minues at the end

   fjh: its cumbersome to move minutes around from private to public

   klanz: member-list

   tlr: yes, the member list, ...

   RESOLUTION: Scribe will post the minutes once edited to member-list and
   as soon as approved to the public-list

   Subject: [minutes-draft], [minutes-approved] to be used ...

   klanz2: we can then use the list searc features to list all the minutes

   <fjh> scribe instructions




   fjh: volunteer for scribing, ....
   We will share scribing round robin in the WG, apart from the Chair and
   Team contact.

2) Scribing and Minutes (10:30 - 10:45 15 min)

2a) Scribe duties and scribe selection process


2b) Scribe volunteers for F2F:

   Wed morning (16 July am) - Konrad

   Wed afternoon (16 July pm) - Hal

   Thursday morning (17 July am) - Bruce

   Thursday afternoon (17 July pm) - Sean

   hal: leaving tomorrow ...

   brich: thursday morning

   sean: thursday afternoon

3) WG Scheduling (10:45-11:15, 30 min)

   fjh: one hour to little, need two hours

3a) Teleconference Scheduling

   <fjh> [27]http://www.w3.org/2002/09/wbs/42458/xmlsec2008telco/

   RESOLUTION: Tuesdays 10am ET, two hours

3b) Upcoming meetings

   fjh: one more F2F, tech planary colocated
   ... 20-21. Oct. 2008
   ... What joint meeting do we need?
   ... EXI, XML Core,

   klanz: namespace inheritance -> xml core
   ... enveloping signatures

   <klanz22> hal: encapsulation


   <scribe> ACTION: fjh to arrange joint meetings on the coordination call
   [recorded in

   <trackbot> Created ACTION-4 - Arrange joint meetings on the
   coordination call [on Frederick Hirsch - due 2008-07-23].

   fjh: telco starting on time, ... we start on time ... try to be on time
   ... charter, do we need the infoset, what to do with C14n, doe we need
   transforms ...

   hal: need to be aware of interdependencies and conflicting goals

   fjh: we need to take advantage of members as resource for editing,
   actions etc ....
   ... maintaining issues lists
   ... workshop results last year, went into requirements ...

   that one ?:


   hal: ECC SuiteB, (IPR ... ), no one from NIST or NSA here ?
   ... Encryption and Signature in hardware?

   rdmiller: have contact into both areas, re SuiteB and hardware

   <trackbot> ACTION-27 -- Robert Miller to contact crypto hardware and
   suiteB experts in NSA regarding XML Security WG and possible
   involvement -- due 2008-08-08 --OPEN

   <trackbot> [31]http://www.w3.org/2008/xmlsec/track/actions/27

   bal: even if do not get direct involvement, we hope we can obtain feed
   back ...
   ... on request.

5) Introduction to W3C, W3C process and Tools [Thomas Roessler] (11:30 -
12:00, 30 min) am ET)


   hal: heart beat requirement?

   tlr: draft every three month for each deliverable

   bal: Don Eastlake? IETF?

   hal: Encryption not an RFC ...

   tlr: minutes, we value availability over perfection
   ... vCal availiable for tracker items ... there is a feed

   <fjh> can enter action-# to get link to it

   <fjh> action-001

   <tlr> action-001?

   <trackbot> ACTION-1 -- Thomas Roessler to test trackbot-ng -- due
   2007-04-12 -- CLOSED

   <trackbot> [33]http://www.w3.org/2008/xmlsec/track/actions/1

   NOTE: Update the association with the new Workgroup, and associate

   <tlr> COI policy

   <sean> ack

   general discussion on IPR

   tlr: WG notes are not covered by the IPR policy

   brich: did we have any under the maintenance group?

   tlr: test cases, best practices ...

   hal: distinction between public review and WG issues raised?

   fjh: process wise different
   ... external comments will be discussed ... internal one have to be
   specific ....
   ... we need to more formal to get get more review ...

   tlr: use working relations and formal contact where suited ...

   hal: there is a difference between getting plain feedback vs. formal
   feed back from other groups that might not even be existence any more

   <scribe> ACTION: fjh to check how the formal OASIS liasion is working.
   [recorded in

   <trackbot> Created ACTION-5 - Check how the formal OASIS liasion is
   working. [on Frederick Hirsch - due 2008-07-23].

   hal: the conflict of interest policy is section 3.1.1 W3C process ...

   <tlr> [36]http://www.w3.org/2001/11/StdLiaison#OASIS needs update,
   incidentally. That's an action on me. I suspect.

   <anil> zamkim, code?

9). Tools decisions and volunteers (14:00 - 15:00, 1 hr)

   fjh: home page simple, if you want to enhance please do so its in cvs
   ... we should get a wiki, wiki didn't work to good in the past
   ... volunteers for main page?
   ... tracker, lists issues and actions ...

   <jcc> FH; something that we did not used: tool for creating new issues

   <anil> [37]http://www.w3.org/2006/WSC/track/issues/200

   <anil> example ^^^

   <jcc> Link: www.w3.org/2008/xmlsec/track/issues/new

   <jcc> FH: certain basic rules for new issues, including meaningful
   information categories

   <jcc> details in www.w3.org/2002/ws/policy/

   <jcc> actually in [38]http://www.w3.org/2002/ws/policy/#issues

   fjh: issues lists is a good tool to move issues through states

Using Tracker for Issues

   <tlr> ISSUE: tracker doesn't get its e-mails through

   <trackbot> Created ISSUE-2 - Tracker doesn't get its e-mails through ;
   please complete additional details at
   [39]http://www.w3.org/2008/xmlsec/track/issues/2/edit .

   fjh: we need a volunteer to take responsibility of making sure external
   issues get on the list

   Gerald: Volunteered to take care of issue Tracking

   fjh: Thanks

   <Zakim> anil, you wanted to mention that the spec can be updated at
   places with issue numbers and dealt with as and when completed

   <rmiller> Rob Miller is going offline and will not return until
   tomorrow morning.

Charter Review

   <fjh> Pratik has been working on best practices, interested in

   fjh: versioning policy constrains us

   work on xml enc is limited to dsig compatability and algs

   updates to c14n will be jointly issued by us and xml core in order to
   retain IPR commitments

   members of the wg are encouraged to nominate other groups who we should
   coordinate with

   thomas to act as informal liasion with IETF

   hal, jcc & fjh will liaise with OASIS TCs

   bruce to informally liaise with WS-Fed

   need to add ebxml tcs to list of OASIS TCs

   sean to investigate ebxml liasion

   <scribe> ACTION: sean to investigate ebxml liasion [recorded in

   <trackbot> Created ACTION-6 - Investigate ebxml liasion [on Sean Mullan
   - due 2008-07-23].

   <scribe> ACTION: bruce to informally liaise with WS-Fed [recorded in

   <trackbot> Created ACTION-7 - Informally liase with WS-Fed [on Bruce
   Rich - due 2008-07-23].

   <anil> I am getting involved in some healthcare security standard
   groups (no one in particular)

   hal & fjh to liaise with WS-I BSP

   will use workshop mailing list to communicate with interested parties

   bruce & sean to liaise with Java community

   klanz: need to tradeoff between maint and major changes

   ... need requirements discussion first

   hal: could do low impact items first, but risk of not driving adoption
   of later step

   sean: can have actions on wg members to provide proposals on different

WG Project Planning

   fjh: need to focus on reqs

   sean: tag with risk level

   fjh: do best practices and maint in parallel

   bal: whan we gather reqs will see a break btw simple and hard
   ... then we can decide tactics
   ... worry about task force idea
   ... relatively small group

   fjh: make easy decisions up front

   bal: will be pressure to produce short term spec
   ... will be easier to get impls

   tlr: have ability to split or join specs

   fjh: want to defer this for now

overview of principles and reqs

   fjh: principles and requirements
   ... valuable exercise to go through ...
   ... walking through slide with original requirements ...
   ... design for security and mitigate attacks ...
   ... some workshop feed-back shows that there was a *lot* of balancing
   going on ...
   ... maybe solve through profiling ...
   ... revisit extensibility requirements ...
   ... interoperability and compatibility are important, and new since
   we're talking about Vnext ...
   ... should recognize layered architecture of implementations ...
   ... I probably missed some principles ...


   RESOLUTION: have a list of principles as basis for work

   bal: needed both principles and usecases

   klanz: may find things which are incompatible with principles
   ... principles SHOULD be followed

   bal: principles may be in conflict

review of workshop

   hal: propose 4 categories: security, performance, new features,
   operational errors

   fjh: how should we process workshop papers?

   bal: create reading groups

   <bal> and schedule a few workshop papers/presentations for discussion
   each week during the conf call
   ... review batch for each call to generate issues and suggestions

   klanz: possibility of requesting profile of xslt?

   <tlr> XSL is being chaired by Sharon Adler, IBM

   <tlr> [43]http://www.w3.org/2006/06/XML/xsl.html

   klanz: noted that might need xslt transform to be able to sign
   including the whitespace generated by transform

   bal: xsl came in as a part of web arch
   ... need to take a look at actual use
   ... maybe need to drop things which cause security problems
   ... may not need to carry forward all requirements from orginal dsig

   klanz: most of our customers use XSLT

   <EdS> XSLT can also be used as a means to collect and meld data from a
   variety of sources before hashing.

   <fjh> review original requirements of dsig

   bal: RDF was a requirement at W3C at that time

   <pdatta> can you share the URL for this original requirements document

   <fjh> [44]http://www.w3.org/TR/xmldsig-requirements

   bal: 3.2-4 was a reaction to CMS limitations
   ... 3.2 supports compound documents

   <tlr> look at pkcs1 in 6.4.2

   <tlr> it includes an identifier for the hash algorithm

   <tlr> (rsa-sha1 algorithm)

   general uncertainty about purpose of 3.3 point 3; likely
   interpretation: data in XML Signature takes precedence over data in
   crypto blob

Presentation by Magnus


   hal: notes support for derived keys in various ws* specs, should
   consider those requirements and attempt to unify

   hal: use cases?

   magnus: not really there, indeed

   brich: derived keys that WS-SecureConversation makes use of

   ... can proposal be extended to cover use cases there?

   ... are that will have to be done sooner or later

   magnus: do not see why not; maybe take this conversation offline

   hal: specs using derived keys are wss username token, ws-trust,

   ... and ws-secureconversation

   brich: bulk in secure conversation

   not latest: [46]http://www.oasis-open.org/specs/index.php#wssecconv1.3

Editors and volunteers

   fjh: editor per spec vs. editor team
   ... should use XMLSPEC
   ... need to set up properly to use ant
   ... compatable with any XSLT stream
   ... already have editors for best practices

   <tlr> ACTION: thomas to read this action's number [recorded in

   <trackbot> Created ACTION-8 - Read this action's number [on Thomas
   Roessler - due 2008-07-23].

   <scribe> ACTION: gerald to test Issues entry and list generation
   [recorded in

   <trackbot> Sorry, couldn't find user - gerald

   <scribe> ACTION: tlr to fix Tracker [recorded in

   <trackbot> Created ACTION-9 - Fix Tracker [on Thomas Roessler - due

   RESOLUTION: No call on July 22nd or 5 August.

   ... No call on Aug 5

Best Practices Document Overview

   <tlr> for context:

   <klanz2> [51]http://www.w3.org/TR/xmldsig-core/#sec-Secure

   <klanz2> reviewing 8.1.1 - 8.1.3 : A quote from 8.1.3: Some
   applications might operate over the original or intermediary data but
   should be extremely careful about potential weaknesses introduced
   between the original and transformed data.

   RESOLUTION: Accept Best Practices as a Work Item, based on previous

   bal: need to consider best practices for new specs

   <bal> and whether some of these turn into a processing model for
   applications verifying sigs

   RESOLUTION: Pratik to continue editing best practices document

   konrad: does best practice require implementation experience?

   hal: should be sure it works

   <scribe> ACTION: fjh to update wg page to include issues link [recorded
   in [52]http://www.w3.org/2008/07/16-xmlsec-minutes.html#action12]

   <trackbot> Created ACTION-10 - Update wg page to include issues link
   [on Frederick Hirsch - due 2008-07-23].

   bruce: put non-normative info in back of spec, could have best
   practices there as well


   tlr: process, once approved add to errata document, but non-normative
   until new edition published

   ... decide on update of REC when appropriate, enough docs

   ... not update REC or red-line at this time

   <fjh> WG should review the errata and we will decide whether to approve
   on next call

   <fjh> document section link

   <fjh> issue link




   1. http://www.w3.org/
   2. http://lists.w3.org/Archives/Public/public-xmlsec/2008Jul/0000.html
   3. http://www.w3.org/2008/07/16-xmlsec-irc
   4. http://www.w3.org/2008/07/16-xmlsec-minutes.html#agenda
   5. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item001
   6. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item002
   7. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item003
   8. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item01
   9. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item02
  10. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item03
  11. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item04
  12. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item05
  13. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item06
  14. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item07
  15. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item08
  16. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item09
  17. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item10
  18. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item11
  19. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item12
  20. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item13
  21. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item14
  22. http://www.w3.org/2008/07/16-xmlsec-minutes.html#item15
  23. http://www.w3.org/2007/xmlsec/Group/Scribe-Instructions.html
  24. http://www.w3.org/2007/xmlsec/Group/Scribe-Instructions.html
  25. http://tinyurl.com/find-minutes-approved
  26. http://tinyurl.com/find-minutes-draft
  27. http://www.w3.org/2002/09/wbs/42458/xmlsec2008telco/
  28. http://www.w3.org/2008/07/16-xmlsec-minutes.html#action01
  29. http://lists.w3.org/Archives/Public/public-xmlsec/2008Jul/0006.html
  30. http://lists.w3.org/Archives/Public/public-xmlsec/2008Jul/0007.html
  31. http://www.w3.org/2008/xmlsec/track/actions/27
  32. http://www.w3.org/2008/xmlsec/w3c101#%281%29
  33. http://www.w3.org/2008/xmlsec/track/actions/1
  34. http://www.w3.org/2005/10/Process-20051014/policies.html#coi
  35. http://www.w3.org/2008/07/16-xmlsec-minutes.html#action06
  36. http://www.w3.org/2001/11/StdLiaison#OASIS
  37. http://www.w3.org/2006/WSC/track/issues/200
  38. http://www.w3.org/2002/ws/policy/#issues
  39. http://www.w3.org/2008/xmlsec/track/issues/2/edit
  40. http://www.w3.org/2008/07/16-xmlsec-minutes.html#action07
  41. http://www.w3.org/2008/07/16-xmlsec-minutes.html#action08
  42. http://www.w3.org/2008/xmlsec/f2f-2008-07-16/rqmts/2008-07-12-xmlsec-rqmts.ppt
  43. http://www.w3.org/2006/06/XML/xsl.html
  44. http://www.w3.org/TR/xmldsig-requirements
  45. http://www.w3.org/2008/xmlsec/f2f-2008-07-16/XML-Encryption-Derived-Keys/
  46. http://www.oasis-open.org/specs/index.php#wssecconv1.3
  47. http://www.w3.org/2008/07/16-xmlsec-minutes.html#action09
  48. http://www.w3.org/2008/07/16-xmlsec-minutes.html#action10
  49. http://www.w3.org/2008/07/16-xmlsec-minutes.html#action11
  50. http://www.w3.org/2007/xmlsec/Drafts/xmldsig-bestpractices/
  51. http://www.w3.org/TR/xmldsig-core/#sec-Secure
  52. http://www.w3.org/2008/07/16-xmlsec-minutes.html#action12
  53. http://www.w3.org/TR/xml-c14n11/#Example-DocSubsetsXMLAttrs
  54. http://lists.w3.org/Archives/Public/public-xmlsec-maintwg/2008Jun/0021.html
  55. http://www.w3.org/TR/xmldsig2ed-tests/#c14n11xmlbase-c14n11spec-102
  56. http://www.w3.org/TR/xmldsig2ed-tests/#c14n11xmlbase-c14n11spec2-102

Thomas Roessler, W3C  <tlr@w3.org>
Received on Tuesday, 12 August 2008 14:14:16 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:55:09 UTC